
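---
- hosts: all
  vars:
    # Distribution-dependent locations. ansible_distribution_file_variety is
    # 'RedHat' on RHEL-family hosts; any other value takes the Debian branch.
    nextcloud_path: "{{ '/usr/share/nginx/html' if ansible_distribution_file_variety == 'RedHat' else '/var/www/html' }}"
    nextcloud_occ: "{{ nextcloud_path }}/occ"
    nginx_path: "{{ '/etc/nginx/conf.d' if ansible_distribution_file_variety == 'RedHat' else '/etc/nginx/sites-enabled' }}"
    # FIXME: Set PHP version from Debian version: 7.4 for Debian 11, 7.3 for Debian 10
    # (the Debian task block later overrides php_*/pg_hba_conf from `php -v` / `psql -V`)
    php_ini_path: "{{ '/etc' if ansible_distribution_file_variety == 'RedHat' else '/etc/php/7.3/fpm' }}"
    php_pool_path: "{{ '/etc/php-fpm.d' if ansible_distribution_file_variety == 'RedHat' else '/etc/php/7.3/fpm/pool.d' }}"
    php_fpm_service: "{{ 'php-fpm' if ansible_distribution_file_variety == 'RedHat' else 'php7.3-fpm' }}"
    document_root: "{{ '/usr/share/nginx/html' if ansible_distribution_file_variety == 'RedHat' else '/var/www/html' }}"
    web_user: "{{ 'nginx' if ansible_distribution_file_variety == 'RedHat' else 'www-data' }}"
    pg_hba_conf: "{{ '/var/lib/pgsql/data/pg_hba.conf' if ansible_distribution_file_variety == 'RedHat' else '/etc/postgresql/13/main/pg_hba.conf' }}"
    redis_dir: "{{ '/etc' if ansible_distribution_file_variety == 'RedHat' else '/etc/redis' }}"
    redis_user: "nextcloud"
    redis_url: "https://127.0.0.1"
    # SECURITY: the three credentials below are committed in clear text, and
    # nextcloud_admin_password is a throwaway default. Source them from
    # ansible-vault or an external lookup before reusing this playbook.
    redis_password: "2XenoNNBtLJqrELTfmCLum/42Guz72Ym0RPMxXh5+pT"
    # Release to install; nextcloud_checksum is verified by get_url on download.
    nextcloud_version: "22.1.0"
    nextcloud_checksum: "sha256:4820808f799146853604e1fa27d7f292449018a44dc73bf928a97b02028318ba"
    nextcloud_database: "nextcloud"
    nextcloud_database_user: "nextcloud"
    nextcloud_database_user_password: "nVdUe6%Ua9c,Rd.8BVugPHPm2yqUSXWCAy%1GXOQGn8tg9F?k%R"
    nextcloud_admin_user: "nextcloud_admin"
    nextcloud_admin_password: "prueba123"
    # nextcloud_domain_name: "{{ ansible_default_ipv4.address }}"
    nextcloud_domain_name: "nextcloud"
    # The only way to make notify_push work without a signed cert is to use plain http
    notify_push_nextcloud_url: "http://localhost"
    # Parameters shared by the nginx and redis self-signed certificates.
    key_size: 4096
    key_type: "RSA"  # Others include DSA, ECC, Ed25519, Ed448, X25519, X448
    country_name: "MX"
    email_address: "ssl@{{ nextcloud_domain_name }}"
    organization_name: "AnsibleNextcloud"
    # server_hostname: "{{ ansible_hostname }}"
    server_hostname: "{{ nextcloud_domain_name }}"
    redis_cert_private_key: "/etc/pki/tls/private/redis-cert-private-key.pem"
    redis_cert: "/etc/pki/tls/certs/redis-self-cert.crt"
    redis_csr: "/etc/pki/tls/certs/redis-self.csr"
    generate_self_signed_cert: true
    # Private key under private/, certificate and CSR under certs/ -- the same
    # layout as the redis_* paths above (the two were previously swapped, which
    # left the nginx private key in the public certs directory).
    nginx_ssl_cert_file: "/etc/pki/tls/certs/nginx-self-signed.crt"
    nginx_ssl_key_file: "/etc/pki/tls/private/nginx-self-signed.key"
    nginx_ssl_csr_file: "/etc/pki/tls/certs/nginx-self-signed.csr"
    # nextcloud_domain: "cloud.example.com"
    # Collabora (CODE) TLS settings consumed by files/coolwsd.xml.j2.
    code_enable_ssl: false
    code_enable_ssl_termination: true
    code_ssl_key: ""
    code_ssl_cert: ""
    code_ssl_ca: ""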
pre_tasks:
- name: Update the /etc/hosts file with node host name
tags: etchostsupdate
become: yes
become_user: root
lineinfile:
path: "/etc/hosts"
regexp: ".*\t{{ ansible_hostname }}"
line: "{{ ansible_env.SSH_CONNECTION.split(' ')[2] }}\t{{ ansible_hostname }}"
state: present
backup: yes
register: etchostsupdate
- name: Update the /etc/hosts file with node domain name
tags: etchostsupdate_domain
become: yes
become_user: root
lineinfile:
path: "/etc/hosts"
line: "{{ ansible_env.SSH_CONNECTION.split(' ')[2] }}\t{{ nextcloud_domain_name }}"
state: present
backup: yes
- name: Create fact directory
file:
path: /etc/ansible/facts.d/
state: directory
- name: Create nextcloud custom facts
copy:
dest: /etc/ansible/facts.d/nextcloud.fact
mode: 0775
force: yes
content: |
#!/usr/bin/bash
FACTS=''
INSTALLED=$(sudo -u www-data /usr/bin/php /var/www/html/occ status | grep installed | cut -d':' -f 2 | sed 's/ //')
if [[ "${INSTALLED}" == "true" ]]; then
FACTS="{\"is_installed\": true"
CODE_INSTALLED=$(sudo -u www-data /usr/bin/php /var/www/html/occ app:list | grep richdocuments)
if [[ "${CODE_INSTALLED}" == *"richdocuments"* ]]; then
FACTS="${FACTS},\n\"is_code_installed\": true}"
else
FACTS="${FACTS},\n\"is_code_installed\": false}"
fi
else
FACTS="{\"is_installed\": false"
FACTS="${FACTS},\n\"is_code_installed\": false}"
fi
echo -e "${FACTS}"
tags:
- check_facts
- name: Check if nextcloud is unpacked
stat:
path: /var/www/html/config/config.sample.php
register: nextcloud_is_unpacked
- name: Reload facts
setup:
tags:
- check_facts
- name: Include a play after another play
include: redhat_pre_tasks.yaml
when:
ansible_distribution_file_variety == 'RedHat'
tasks:
- name: Display local facts
debug: var=ansible_local
tags:
- check_facts
# System setup
- name: sysctl -w net.core.somaxconn=65535
sysctl:
name: net.core.somaxconn
value: "65535"
state: present
reload: true
sysctl_file: /etc/sysctl.conf
- name: Red Hat Distros Tasks
block:
- name: Install System Packages
action: package name={{item}} state=present
with_items:
- nginx
- sudo
- php-fpm
- postgresql
- postgresql-server
- python3-psycopg2
- redis
- php-pgsql
- php-cli
- php-curl
- php-dom
- php-exif
- php-fileinfo
- php-gd
- php-iconv
- php-json
- php-ldap
- php-mbstring
- php-openssl
- php-pcre
- php-pdo
- php-session
- php-simplexml
- php-xmlwriter
- php-spl
- php-zip
- php-filter
- php-ldap
- php-smbclient
- php-imap
- php-gmp
- php-process
- php-pecl-imagick
- php-pecl-memcached
- php-pecl-apcu
- php-pecl-redis
- python3-pyOpenSSL
- name: Import Collabora key
ansible.builtin.rpm_key:
state: present
key: https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos8/repodata/repomd.xml.key
- name: Add Collabora repository for Red Hat distros
yum_repository:
name: CollaboraOnline
description: Collabora Online
baseurl: https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos8
- name: Install Collabora Online Packages
action: package name={{item}} state=present
with_items:
- coolwsd
- CODE-brand
- name: Check if the '/var/lib/pgsql/data' directory exists
ansible.builtin.stat:
path: "/var/lib/pgsql/data"
register: pgsql_data_dir
- name: Initialize postgres database
ansible.builtin.shell:
cmd: /usr/bin/postgresql-setup --initdb
when: not pgsql_data_dir.stat.isdir is defined
when:
ansible_distribution_file_variety == 'RedHat'
- name: Debian Distros Tasks
block:
- name: Run the equivalent of "apt-get update" as a separate step
apt:
update_cache: yes
- name: Install System Packages
action: package name={{item}} state=present
with_items:
- dirmngr
- nginx
- sudo
- php-fpm
- postgresql-all
- python3-psycopg2
- php-pgsql
- php-cli
- php-curl
- php-gd
- php-json
- php-ldap
- php-mbstring
#- php7.4-xml # en Debián 10 la versión de PHP es 7.3 y en este paquete el 7.4 causa conflicto
- php-xml
#- php-xmlwriter
- php-zip
- php-ldap
#- php-smbclient
- php-imap
- php-gmp
#- php-process
- php-imagick
- php-memcached
- php-apcu
- php-redis
- python3-openssl
- name: Install Redis for Debian versions differen than 10
action: package name=redis state=present
when: ansible_distribution_version != "10"
- name: Install Redis for Debian 10
action: apt deb="{{ item }}" state=present
with_items:
- http://sandino.araico.net/parches/Debian/redis/redis-tools_5.0.3-4+deb10u4_amd64.deb
- http://sandino.araico.net/parches/Debian/redis/redis-server_5.0.3-4+deb10u4_amd64.deb
- http://sandino.araico.net/parches/Debian/redis/redis_5.0.3-4+deb10u4_all.deb
when: ansible_distribution_version == "10"
- name: Get php version
shell: "php -v | grep built | cut -d '.' -f 1,2 | sed 's/PHP //'"
register: php_version
tags:
- php_ver
- name: Get PostgreSQL version
shell: "psql -V | cut -d ' ' -f 3 | cut -d '.' -f 1"
register: postgres_version
tags:
- php_ver
- name: Update the php_ini_path variable
set_fact:
php_ini_path: "/etc/php/{{ php_version.stdout }}/fpm"
- name: Update the pg_hba_conf variable
set_fact:
pg_hba_conf: "/etc/postgresql/{{ postgres_version.stdout }}/main/pg_hba.conf"
- name: Update the php_pool_path variable
set_fact:
php_pool_path: "/etc/php/{{ php_version.stdout }}/fpm/pool.d"
- name: Update the php_fpm_service variable
set_fact:
php_fpm_service: "php{{ php_version.stdout }}-fpm"
- name: Add Collabora apt key by id from keyserver for Debian 10
ansible.builtin.apt_key:
#keyserver: keyserver.ubuntu.com
id: 0C54D189F4BA284D
data: "{{ lookup('file', 'files/0C54D189F4BA284D.asc') }}"
tags:
- debian-collabora-repos
- collabora
- name: Add Collabora repository for Debian distros (10)
ansible.builtin.apt_repository:
repo: deb https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-debian10 ./
state: present
tags:
- debian-collabora-repos
- collabora
- name: Install Collabora Online Packages
action: package name={{item}} state=present
with_items:
- coolwsd
- code-brand
tags:
- collabora
- name: Remove nginx default configuration
ansible.builtin.file:
path: /etc/nginx/sites-enabled/default
state: absent
tags:
- clean_defaults
when:
ansible_distribution_file_variety == 'Debian'
- name: Configure Nginx Nextcloud pool
template: src=files/nextcloud_nginx.conf.j2 dest="{{ nginx_path }}/nextcloud_nginx.conf"
tags:
- notify_push
- name: Configure PHP
template: src=files/php.ini.j2 dest="{{ php_ini_path }}/php.ini"
- name: Configure PHP FPM pool
template: src=files/www.conf.j2 dest="{{ php_pool_path }}/www.conf"
# nextcloud specific tasks
#- name: Ensure that Nextcloud target directory exists
# ansible.builtin.file:
# path: /var/www/nextcloud
# state: directory
# mode: '0755'
# owner: "{{ web_user }}"
- name: Download Nextcloud
get_url:
url: "https://download.nextcloud.com/server/releases/nextcloud-{{nextcloud_version}}.tar.bz2"
dest: "/usr/src/nextcloud-{{nextcloud_version}}.tar.bz2"
checksum: "{{ nextcloud_checksum }}"
when:
nextcloud_is_unpacked.stat.exists != true and ansible_local['nextcloud']['is_installed'] != true
- name: Unpack Nextcloud
ansible.builtin.unarchive:
src: "/usr/src/nextcloud-{{nextcloud_version}}.tar.bz2"
dest: "{{ nextcloud_path }}"
remote_src: yes
owner: "{{ web_user }}"
extra_opts:
- --strip-components=1
when:
nextcloud_is_unpacked.stat.exists != true and ansible_local['nextcloud']['is_installed'] != true
- name: Create nginx ssl directory
file:
path: /etc/ssl/nginx
state: directory
- name: Generate Nginx SSL Private Key
openssl_privatekey:
path: "{{ nginx_ssl_key_file }}"
size: "{{ key_size }}"
type: "{{ key_type }}"
backup: yes
- name: Generate Nginx SSL CSR
openssl_csr:
path: "{{ nginx_ssl_csr_file }}"
privatekey_path: "{{ nginx_ssl_key_file }}"
country_name: "{{ country_name }}"
organization_name: "{{ organization_name }}"
email_address: "{{ email_address }}"
common_name: "nextcloud"
subject_alt_name: "DNS:{{ ansible_hostname }},DNS:{{ nextcloud_domain_name }},DNS:{{ server_hostname }}"
- name: Generate Nginx Self Signed OpenSSL certificate
openssl_certificate:
path: "{{ nginx_ssl_cert_file }}"
privatekey_path: "{{ nginx_ssl_key_file }}"
csr_path: "{{ nginx_ssl_csr_file }}"
provider: selfsigned
- name: Enable nginx service
systemd:
name: nginx
enabled: yes
state: restarted
tags:
- notify_push
- name: Enable php-fpm service
systemd:
name: "{{ php_fpm_service }}"
enabled: yes
state: restarted
- name: Enable PostgreSQL service
systemd:
name: postgresql
enabled: yes
state: restarted
- name: Generate Redis SSL Private Key
openssl_privatekey:
path: "{{ redis_cert_private_key }}"
size: "{{ key_size }}"
type: "{{ key_type }}"
backup: yes
owner: redis
#FIXME versionar para debian 10 o crear un paquete de redis para debian 10 con soporte de TLS
- name: Generate Redis SSL CSR
openssl_csr:
path: "{{ redis_csr }}"
privatekey_path: "{{ redis_cert_private_key }}"
country_name: "{{ country_name }}"
organization_name: "{{ organization_name }}"
email_address: "{{ email_address }}"
common_name: "{{ server_hostname }}"
owner: redis
- name: Generate Redis Self Signed OpenSSL certificate
openssl_certificate:
path: "{{ redis_cert }}"
privatekey_path: "{{ redis_cert_private_key }}"
csr_path: "{{ redis_csr }}"
provider: selfsigned
owner: redis
- name: Set Redis Configuration
template: src=files/redis.conf.j2 dest="{{ redis_dir }}/redis.conf" owner=root group=root mode=0644
- name: Enable Redis service
systemd:
name: redis
enabled: yes
state: restarted
#when: (ansible_distribution == "Debian" and ansible_distribution_version != "10") or ansible_distribution == "RedHat"
tags:
- check_redis
- name: "Create database user"
postgresql_user:
name: "{{ nextcloud_database_user }}"
password: "{{ nextcloud_database_user_password }}"
become_user: postgres
become: yes
tags:
- database
- name: "Create nextcloud database"
postgresql_db:
name: "{{ nextcloud_database }}"
encoding: UTF-8
template: template0
owner: "{{ nextcloud_database_user }}"
become_user: postgres
become: yes
tags:
- database
- name: Allow postgres user to connect to the database
blockinfile:
dest: "{{ pg_hba_conf }}"
block: |
host all all 0.0.0.0/0 md5
- name: Install nextcloud to database
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" maintenance:install --database "pgsql" --database-name "{{ nextcloud_database }}" --database-user "{{ nextcloud_database_user }}" --database-pass "{{ nextcloud_database_user_password}}" --admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_password }}"
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
when:
ansible_local['nextcloud']['is_installed'] != true
- name: Configure Nextcloud trusted domain
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_domains 1 --value={{ nextcloud_domain_name}}
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
- name: Configure localhost as trusted proxy
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 0 --value=127.0.0.1
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
tags:
- notify_push
- name: "configure {{ nextcloud_domain }} as trusted proxy"
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 1 --value={{ nextcloud_domain_name}}
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
tags:
- notify_push
- name: "configure ::1 as trusted proxy"
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 2 --value=::1
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
tags:
- notify_push
- name: "Import certificate to Nextcloud instance"
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" security:certificates:import "{{ nginx_ssl_cert_file }}"
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
tags:
- certificates
# Redis como memcache https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/caching_configuration.html?highlight=cache
- name: Configure Nextcloud Redis
ansible.builtin.shell:
cmd: |
/usr/bin/php "{{ nextcloud_occ }}" config:system:set redis host --value=localhost
/usr/bin/php "{{ nextcloud_occ }}" config:system:set redis port --value=6379
/usr/bin/php "{{ nextcloud_occ }}" config:system:set redis dbindex --value=0
/usr/bin/php "{{ nextcloud_occ }}" config:system:set redis user --value="{{ redis_user }}"
/usr/bin/php "{{ nextcloud_occ }}" config:system:set redis password --value="{{ redis_password }}"
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
#when: (ansible_distribution == "Debian" and ansible_distribution_version != "10") or ansible_distribution == "RedHat"
tags:
- nextcloud_redis
- name: Enable Nextcloud High Performance Backend
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" app:enable notify_push
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
#when: (ansible_distribution == "Debian" and ansible_distribution_version != "10") or ansible_distribution == "RedHat"
- name: Install Nextcloud High Performance Backend Systemd Service
template: src=files/notify_push.service.j2 dest=/etc/systemd/system/notify_push.service
#when: (ansible_distribution == "Debian" and ansible_distribution_version != "10") or ansible_distribution == "RedHat"
- name: Set Nextcloud High Performance Backend Systemd Service environment
template: src=files/notify_push_environment.j2 dest="{{ nextcloud_path }}/apps/notify_push/environment"
#when: (ansible_distribution == "Debian" and ansible_distribution_version != "10") or ansible_distribution == "RedHat"
- name: Enable Nextcloud Notify Push Service
systemd: state=restarted name=notify_push daemon_reload=yes
#when: (ansible_distribution == "Debian" and ansible_distribution_version != "10") or ansible_distribution == "RedHat"
- name: Setup Nextcloud High Performance Backend
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" notify_push:setup "https://{{ nextcloud_domain_name }}/push"
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
#when: (ansible_distribution == "Debian" and ansible_distribution_version != "10") or ansible_distribution == "RedHat"
tags:
- redis
- notify_push
- name: Reload facts after Nextcloud installation
setup:
tags:
- check_facts
- name: Copy collabora configuration files
template: src=files/coolwsd.xml.j2 dest=/etc/coolwsd/coolwsd.xml
- name: Enable Libre Office Web services
systemd:
name: coolwsd
enabled: yes
state: restarted
tags:
- nextcloud_collabora
- name: Install Collabora Office nextcloud app
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" app:install richdocuments
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
tags:
- nextcloud_collabora
when:
ansible_local['nextcloud']['is_code_installed'] != true
- name: Reload facts after Collabora Nextcloud app installation
setup:
tags:
- check_facts
- name: Configure Collabora Office nextcloud app
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:app:set --value "https://{{nextcloud_domain_name}}" richdocuments wopi_url
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
tags:
- nextcloud_collabora
when:
ansible_local['nextcloud']['is_code_installed'] == true
- name: Activate Collabora Office nextcloud app
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" richdocuments:activate-config
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
tags:
- nextcloud_collabora
when:
ansible_local['nextcloud']['is_code_installed'] == true
- name: Allow local remote servers for nextcloud
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set allow_local_remote_servers --value true --type bool
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
tags:
- nextcloud_collabora
when:
ansible_local['nextcloud']['is_code_installed'] == true